CVE-2026-40177
Two-Factor Authentication Bypass in Ajenti.plugin.core Before
Publication date: 2026-04-10
Last updated on: 2026-04-21
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ajenti | ajenti_plugin_core | all versions before 0.112 (0.112 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects ajenti.plugin.core versions prior to 0.112 and allows bypassing password authentication even when 2FA is enabled.
To detect if your system is vulnerable, you should first check the installed version of ajenti.plugin.core.
- Run a command to check the installed version, for example: pip show ajenti.plugin.core
- Alternatively, you can list all installed packages and filter for ajenti.plugin.core: pip list | grep ajenti.plugin.core
If the version is earlier than 0.112, your system is vulnerable to this password bypass issue.
There are no specific network detection commands or signatures provided in the available resources.
The recommended mitigation is to upgrade ajenti.plugin.core to version 0.112 or later.
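The version check above is easy to get wrong when scripted, because a plain string comparison ranks "0.9" above "0.112". The following script is an added example (not part of the CVE record or the Ajenti project) that reads the installed version of ajenti.plugin.core via the standard library, or parses the output of the `pip show` command the answer suggests, and compares it numerically against the fixed release 0.112. The sample `pip show` output embedded in it is constructed for the demonstration.

```python
"""Check whether the installed ajenti.plugin.core predates the fixed release 0.112."""
import re
from importlib import metadata

PACKAGE = "ajenti.plugin.core"
FIXED_VERSION = "0.112"  # first release carrying the fix for CVE-2026-40177


def parse_version(text):
    """Turn '0.112' or '0.99.1' into a tuple of ints so comparison is numeric.
    Plain string comparison would wrongly rank '0.9' above '0.112'."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def compare_versions(a, b):
    """Return -1, 0 or 1 like a classic cmp(); shorter tuples are zero-padded
    so that 0.112 and 0.112.0 compare equal."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_vulnerable(installed):
    """True when the installed version is strictly older than the fixed one."""
    return compare_versions(installed, FIXED_VERSION) < 0


def installed_version(package=PACKAGE):
    """Installed version as recorded in package metadata, or None if absent."""
    try:
        return metadata.version(package)
    except metadata.PackageNotFoundError:
        return None


def version_from_pip_show(output):
    """Extract the 'Version:' field from `pip show <package>` output."""
    for line in output.splitlines():
        if line.lower().startswith("version:"):
            return line.split(":", 1)[1].strip()
    return None


# Constructed sample of `pip show ajenti.plugin.core` output, not from a real host.
SAMPLE_PIP_SHOW = """Name: ajenti.plugin.core
Version: 0.99
Summary: Ajenti core plugin
"""

if __name__ == "__main__":
    version = installed_version()
    if version is None:
        print(f"{PACKAGE} not found in package metadata; using constructed pip show output")
        version = version_from_pip_show(SAMPLE_PIP_SHOW)
    verdict = "VULNERABLE, upgrade to 0.112 or later" if is_vulnerable(version) else "not affected"
    print(f"{PACKAGE} {version}: {verdict}")
```

Run it on the host where Ajenti is installed; the numeric comparison is the part worth keeping if you fold this into a fleet-wide inventory check.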
Can you explain this vulnerability to me?
CVE-2026-40177 is a high-severity vulnerability in the ajenti.plugin.core package affecting versions prior to 0.112.
The vulnerability allows an attacker to bypass password authentication even when two-factor authentication (2FA) is activated.
This means that the intended security provided by 2FA is compromised, enabling unauthorized access without proper password verification.
The issue was fixed in version 0.112 of the package.
How can this vulnerability impact me?
This vulnerability can have a significant impact by allowing attackers to gain unauthorized access to systems using ajenti.plugin.core versions prior to 0.112.
Since the password authentication can be bypassed even when 2FA is enabled, attackers can circumvent this additional security layer, increasing the risk of data breaches or unauthorized control.
Such unauthorized access could lead to compromise of sensitive information, disruption of services, or further exploitation within the affected environment.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade the ajenti.plugin.core package to version 0.112 or later.
This update fixes the password authentication bypass issue when two-factor authentication (2FA) is activated.
Applying this patch will restore the intended security controls and prevent unauthorized access.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to bypass password authentication even when two-factor authentication (2FA) is activated, enabling unauthorized access without proper password verification.
Such unauthorized access can lead to violations of security requirements mandated by common standards and regulations like GDPR and HIPAA, which require strong authentication controls to protect sensitive data.
Therefore, if exploited, this vulnerability could compromise compliance with these regulations by undermining the effectiveness of authentication mechanisms designed to safeguard personal and health information.